Lessons From Report on Massive Singapore Healthcare Hack

A variety of security weaknesses - ranging from misconfigurations to coding vulnerabilities, untrained staff and flawed incident response - contributed to a 2017 cyberattack impacting about 1.5 million patients of SingHealth, Singapore's largest healthcare group. That's the conclusion of a new report issued by a committee designated to examine the breach.

"The key findings in the report .... on the cyberattack on Singapore Health Services' patient database read like most audits or risk assessments performed at U.S. healthcare organization," says former healthcare CIO David Finn, an executive vice president at security consulting firm CynergisTek.

The breach exposed data on about 1.5 million patients who visited organizations that are part of SingHealth. The incident exposed personal information for more than 25 percent of the country's residents, government officials say.

Attack Details

The committee's report notes that the attack "of unprecedented scale and sophistication" was carried out between July and August 2017 on a patient database. "The crown jewels of the SingHealth network are the patient electronic medical records contained in the SingHealth Sunrise Clinical Manager database," the report notes.

The Integrated Health Information Systems Private Limited, or IHiS, is Singapore's Ministry of Health's division responsible for administering and operating the SCM system, including implementing cybersecurity measures. IHiS was also responsible for security incident response and reporting, the report notes.

Evidence suggests that the initial intrusion was through a phishing attack, which led to malware being installed and executed on a workstation, the report notes.

The committee found a high probability that a coding vulnerability in the SCM application allowed the attacker to easily retrieve the credentials of an account that then enabled the attacker "to cross the last-mile to the SCM server, as it could be used to make SQL queries to the database."

Key Findings

Among the report's key findings:

IHiS staff did not have adequate levels of cybersecurity awareness, training and resources to appreciate the security implications of their findings and to respond effectively to the attack.

Certain IHiS staff holding key roles in IT security incident response and reporting failed to take appropriate, effective or timely action, resulting in missed opportunities to prevent the stealing and exfiltrating of data in the attack.

A number of vulnerabilities, weaknesses and misconfigurations in the SingHealth network and SCM system - many of which could have been remedied before the attack - contributed to the attacker's success in obtaining and exfiltrating the data,

Top Recommendations

Based on the findings, the report laid out more than a dozen recommendations for addressing the security weaknesses and other issues that contributed to the cyberattack.

The top recommendations mainly highlight security basics, including:

Adopting an enhanced security structure and readiness;

Improving staff awareness on cybersecurity to enhance capacity to prevent, detect and respond to security incidents;

Common Themes

The U.S. healthcare sector has also been the target of massive cyberattacks - the largest so far being the hacking of health insurer Anthem Inc. in 2014 that resulted in a breach of nearly 79 million records.

In addition, hundreds - if not thousands - of other U.S. healthcare entities have struggled with ransomware and phishing attacks and other assaults that have involved the various contributing issues that were highlighted in the report about the SingHealth hack.

"The risks to most organizations from a breach are simply too high to continue to be ignored by executive and board-level leaders."
—Jon Moore, Clearwater Compliance

The top issues cited in the report that are also most common in the U.S, Finn says, are the lack of awareness and training; unpatched vulnerabilities - including some identified in early penetration tests and still unpatched; and the finding that older defenses could not detect or identify an advanced persistent threat, Finn notes.

"None of these would be surprising in most healthcare organizations in the U.S.," he adds.

Shared Problems

The top recommendations from the report read "uncannily like the Department of Health and Human Services' Health Care Industry Cybersecurity Task Force Report," Finn says.

"Both reports talk about partnership between government, industry and providers to enhance security across the sector - or collective security. Both talk about standardizing risk assessments and frameworks and to take them seriously."

Keith Fricke, principle consultant at tw-Security, observes: "Controlling privileged access is at the top of the list for me. Criminals using compromised credentials with elevated privileges provides them with significant unauthorized capability to read, write, delete and copy data. Competent criminals can sometimes use the elevated privileges to hide their tracks too."

Vulnerability management and recurring workforce awareness training are crucial, he says. "Knowing where high risk vulnerabilities exist and mitigating them goes a long way in reducing opportunities for breaches to occur. Security has to be top of mind for workers because criminals never tire in their quest to gain unauthorized access to valuable information."

Another important security consideration for healthcare organizations worldwide, Fricke says, is the need for resiliency and business continuity capability. "Without a solid backup/restore plan, organizations will face periods of operational downtime until a ransom can be paid, or suffer from data loss in the case of malware such as NotPetya."

"That means having the appropriate governance in place, understanding the risks within their unique environment, treating risks that exceed their organization's risk threshold, and continuously monitoring their environments to make sure the safeguards they have in place are functioning appropriately and that any new risks are identified and addressed," he says.

Cyber risk management should be part of an organization's overall enterprise risk management program, Moore says.

"The risks to most organizations from a breach are simply too high to continue to be ignored by executive and board-level leaders. Most modern organizations are dependent on maintaining the confidentiality, integrity and availability of electronic data to fulfill their mission, yet far too often the risks to patient safety, capital and earnings from the compromise of their information systems is underappreciated."

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.eu, you agree to our use of cookies.